AAL2VerifyMessageSignatureICSF

Mis à jour le 22 Jan 2025
5 Minutes à lire

Partager
Sombre
Lumière
PDF

The content is currently unavailable in French. You are viewing the default English version.

Résumé de l’article

Avez-vous trouvé ce résumé utile ?

Merci pour vos commentaires

Function prototype

aat_int32 AAL2VerifyMessageSignatureICSF (
                                    TDigipassBlob*  DPData,
                                    TKernelParms*   CallParms,
                                    aat_ascii       *aStorageKeyNameIn,
                                    aat_ascii       *aInitialVectorIn,
                                    aat_int32       MessageExpirationTime,
                                    aat_ascii*      Signature,
                                    aat_ascii*      SignedMessage,
                                    aat_int32       DeferredSignatureData
                                    aat_ascii*      ConfirmationCode,
                                    aat_ascii*      ConfirmationCodeLength);

Description

This function verifies the signature provided by the Digipass device:

in response to Activation Message 2 (generated with AAL2GenMessageActivation2ICSF) during the multi-device activation process
or in response to the request message (generated with AAL2GenMessageRequestICSF) during a Secure Channel request process (optionally; depending on whether the request requires a signature validation or not).

In case of verifying the signature of an Activation Message 2, the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance defined for the post-activation step. Information on the crypto application used for post-activation is part of the Digipass client configuration.

In case of verifying the signature of a request message (that contained a Secure Channel transaction), the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance selected for signing the message. Information on the crypto application selected for signing the message is part of the request body; it allows the Digipass device to perform the operation with the proper application.

The OnlineSG kernel parameter is also applied to the present function and is used as described in the OneSpan Authentication Suite Server SDK C-C++ Programmer's Guide.

Signed message optional expiration check

This function allows optionally checking a maximum amount of time authorized since the generation of the Activation Message 2 or request message for which the signature validation is performed. This message time validity check depends on the MessageExpirationTime parameter.

If MessageExpirationTime = 0, the function will not perform any message time validity check.

If MessageExpirationTime > 0, MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).

The instances of Activation Message 2 or request messages must have been MANDATORILLY generated by Authentication Suite Server SDK version 3.15.1 or later if checking the time validity (i.e. MessageExpirationTime > 0).
The timestamp of the generation time is embedded in the instances of Activation Message 2 and request messages only since Authentication Suite Server SDK 3.15.1.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based message signature validation which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the signature, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyMessageSignatureICSF) for more details.

Parameters

Table: Parameters (AAL2VerifyMessageSignatureICSF)
Type	Name	Use	Description
TDigipassBlob *	DPData	I/O	authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *	CallParms	I	Structure of runtime parameters to use during this function call.
aat_ascii *	aStorageKeyNameIn	I	String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data.
aat_ascii *	aInitialVectorIn	I	String of 16 hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_int32	Message expiration time	I	Must be mandatorily equal or greater to 0. If MessageExpirationTime = 0: No message time validity check. If MessageExpirationTime > 0: MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).
aat_ascii *	Signature	I	String of up to 17 numeric characters, left-justified, null-terminated, or right-padded with spaces.
aat_ascii *	SignedMessage	I	Hexadecimal character string containing the message that has been used by the Digipass device to generate the signature. String length must be a multiple of 2. This can be either an Activation Message 2 or a request message.
aat_int32	DeferredSignatureData	I	Must be 0 if signature is validated in online mode (OnlineSG=1 or 2). If signature is validated in offline mode with OnlineSG=0, this parameter can receive the Digipass date of the signature generation (number of elapsed seconds since January 1, 1970) or 0. (With 0, the current time is used.) If this parameter is >0, the filled parameter must be the Digipass time, not the host time. If the signature is validated in offline mode with OnlineSG=3, this parameter must receive counter of the Digipass instance used for the signature generation.
aat_ascii *	ConfirmationCode	O	String of up to 16+1 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the confirmation code generated by Authentication Suite Server SDK for this signature.
aat_int32 *	ConfirmationCodeLength	O	In input, this parameter must indicate the size of the allocated buffer for the ConfirmationCode parameter (recommended 17 bytes). In output, this parameter indicates the length of the ConfirmationCode string (without the null-terminated character).

COBOL calling convention

Entry point: AA2VMSIC
02   W-BLOB                    PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT           PIC 9(8) USAGE BINARY.
     03  W-PARM01              PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19              PIC 9(8) USAGE BINARY.
02   W-CONFIRMCODE             PIC X(17).
02   W-CONFCODE-LENGTH         PIC 9(8) USAGE BINARY.
02   W-RETURN                  PIC S9(8) USAGE BINARY.
02   W-SIGNATURE               PIC X(17).
02   W-SIGNED-MESSAGE          PIC X(nnnn).
02   W-MESSAGEEXPIRATIONTIME   PIC 9(8) USAGE BINARY.
02   W-SIGNATUREDATA           PIC 9(8) USAGE BINARY.
02   W-STORAGEKEY              PIC X(65).
02   W-INITVECTOR              PIC X(17).
02   W-API-NAME                PIC X(8) VALUE 'AA2VMSIC'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY VALUE W-MESSAGEEXPIRATIONTIME
           BY REFERENCE W-SIGNATURE
           BY REFERENCE W-SIGNED-MESSAGE
           BY VALUE W-SIGNATUREDATA
           BY REFERENCE W-CONFIRMCODE
           BY REFERENCE W-CONFCODE-LENGTH
           RETURNING W-RETURN

Return codes

Table: Return codes (AAL2VerifyMessageSignatureICSF)
Code	Meaning	Code	Meaning
0	Success	1116	Response check digit not allowed
10001	Success with context warning*	1117	Challenge check digit not allowed
10002	Success with user warning*	1118	Unsupported BLOB
10003	Success with user & context warning*	1299	Signed message not hexadecimal
10004	Success with platform warning*	1300	Invalid signed message length
10005	Success with platform & context warning*	1301	Invalid signed message pointer
10006	Success with platform & user warning*	1309	Application can not be used for Secure Channel transactions
10007	Success with platform & user & context warning*	1337	Unsupported message protocol version
1	Signature not verified	1339	Invalid message length
132	Unsupported token type	1363	Invalid message expiration time value
139	Invalid signature pointer	1364	Message time validity expired
141	Invalid field count	-102	Data field too long
203	Sign error threshold reached	-103	Data field check digit wrong
204	Duplicate signature found	-105	Challenge minimum length not allowed
205	Inactive days reached	-106	Challenge maximum length not allowed
206	Chronological signature error	-107	Challenge number wrong
207	Deferred signature not allowed with OnLineSG not Null	-108	Challenge character invalid
208	Application disabled	-201	Response length out of bounds
412	Invalid checksum (software)	-202	Response too short
413	Invalid Base64 format	-203	Response too long
414	Invalid checksum (HSM)	-204	Response check digit wrong
510	Invalid Digipass data pointer	-205	Response character not decimal
900	Invalid session context handle	-206	Response character not hexadecimal
908	HSM key not found	-207	Response character set not specified
951	Invalid HSM key type for HSM decryption	-1501	Memory allocation failed
1103	Unlock Version 2 not supported

* Specific score-based authentication codes; for more information, refer to Score-based Digipass

Cet article vous a-t-il été utile ?

What's Next

AAL2VerifyPasswordEsICSF

Table des matières

Function prototype
Description
Parameters
COBOL calling convention
Return codes